Earlier this month we learned of yet another breach that targeted password management software.
In this instance, hackers accessed OneLogin, a password manager and single sign-on platform, for a full seven hours. They stole a large amount of user data, and may have decrypted sensitive information as well.
These programs are a treasure trove of information, so naturally they are an appetizing target for cybercriminals. But are they vulnerable to the point where we need to avoid using them altogether?
What do these programs have to offer?
Years ago we were all stuck playing a balancing act between security and practicality; we had to come up with passwords that we could remember, but that were also strong enough to not get cracked in no time flat. While “password” and “123456” are next to useless as far as passwords go, creating one so complex that you have to write it on a sticky note at your desk (I’ve lost count of how many times I’ve seen this) is equally ineffective.
With a password manager, however, we didn’t need to remember anything.
These tools allow us to store strong, unique, complex passwords in a vault of sorts. They link up with your internet browser or smartphone to capture the passwords you enter, file them away, and refill them the next time you visit that site. Some will also flag passwords that are repeated across accounts, and ones that aren’t quite as strong as they should be.
Basically, they simplify the password process enough to allow us to give security the attention and precedence it deserves. But, as we’ve seen with this OneLogin breach in addition to multiple LastPass hacks, these solutions are clearly not foolproof.
So, is it time to jump ship?
I wouldn’t say so.
If a password manager is what it takes for you to be able to maintain strong, unique, complex passwords across your accounts, then I would recommend you continue using one. Realistically, the chances of your password manager getting hacked are much lower than the chances of a hacker cracking “password.”
But it’s important for us all to acknowledge that these tools are vulnerable, and that what we really need to do is add another layer of protection to our online accounts.
In other words, we need to shift toward two-factor authentication in as many places as we possibly can. Then, even if someone does happen to get their hands on your password, they’d also need to have the answers to your security questions, your cell phone to receive the auto-generated text message, your fingerprint, or whatever other form of authentication is required to actually access your account.
Many apps, websites, and programs have this capability built in as an option, and most implement it smoothly enough that it adds only a minor inconvenience to your login process.
Work with your IT team to identify what additional safeguards are available to you, roll them out to your team, and breathe a little easier the next time you see a major breach making headlines.
Because there will be a “next time.”
As originally published in the American City Business Journals.